Changes between Version 23 and Version 24 of BluePrintAuthenticationAccess


Ignore:
Timestamp:
01/10/09 10:51:39 (13 years ago)
Author:
Fran Boon
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • BluePrintAuthenticationAccess

    v23 v24  
    11This page hosts the detailed specification for the [https://blueprints.launchpad.net/sahanapy/+spec/authentication-authorization Blueprint for Authentication & Access].
    22
    3 Authentication is the process that verifies the identity of a user.[[BR]]
    4 Authorization provides controlled access to protected resources.
     3Authentication is the act of establishing or confirming someone's identity.[[BR]]
     4Authorization is the concept of allowing access to resources only to those permitted to use them.
    55
    6 === Requirements ===
     6== Authentication ==
     7SahanaPy currently authenticates on email address/password.[[BR]]
     8- this is the T2 method.
     9
     10The default configuration is that Self-Registration is enabled.[[BR]]
     11This can be easily disabled:
     12 * Remove the link from the menu in {{{layout.html}}}
     13 * Disable the function in {{{controllers/default.py}}}
     14This manual process should be changed to a single setting in the default_setting table.
     15
     16The email address is currently not verified.[[BR]]
     17- this should be fixed.
     18
     19Sahana2 supports OpenID (as does Launchpad), so that would be good to support & looks easy:
     20 * http://openidenabled.com/python-openid/
     21
     22== Authorization ==
    723We want to be able to provide a simple way of setting the overall security policy - allowing for flexible deployment options.
    824 * Anonymous access is granted for all Read operations, with Create/Update/Delete requiring a user to be Authenticated
    9   * Self-Registration possible
    10   * Self-Registration not possible
    1125 * Anonymous access isn't granted for anything - all access requires a user to be Authenticated
    1226 * Modules able to be restricted by Role membership
     
    1630  * C/R/U/D permissions distinct
    1731
    18 The specification we should be working to implement is in the Wiki:
     32Sahana2 specifications:
    1933 * Proposed Trunk: http://wiki.sahana.lk/doku.php?id=dev:new_acl
    2034 * Current Stable: http://wiki.sahana.lk/doku.php?id=dev:security
     
    2438We also want to look at linking the AAA t2_person table with the Person Registry's person table
    2539
    26 Sahana2 supports OpenID (as does Launchpad ;) ), so that would be good to support & looks easy:
    27  * http://openidenabled.com/python-openid/
    28 
    2940=== Implementation ===
    3041S3 builds on the default T2 AAA system:
     
    3243
    3344Anonymous access is currently granted for all Read operations, with Create/Update/Delete requiring a user to be Authenticated: {{{t2.logged_in}}}
    34  * T2 can extend this by protecting resources with {{{t2.have_membership()}}} (functional check) & {{{t2.have_access()}}} (record-level security)
    35  * we should probably support this by adding hooks into the [wiki:BluePrintREST RESTlike controller]
     45 * T2 can extend this by protecting resources with {{{t2.have_membership()}}} (table level security which can be separated for C/R/U/D) & {{{t2.have_access()}}} (record-level security)
     46 * we should probably support these by adding hooks into the [wiki:BluePrintREST RESTlike controller]
    3647
    37 The system supports Self-Registration, which won't be appropriate for all deployment scenarios.[[BR]]
    38 To disable it requires:
    39  * Removing the link from the menu in {{{layout.html}}}
    40  * Disabling the function in controllers/default.py
    41 If self-registration is disabled then users maintenance can be done via appadmin until we develop our own UI.[[BR]]
    42 This will also be the case for adding extra roles anyway.
     48User maintenance can be done via appadmin until we develop our own UI.[[BR]]
    4349
    4450DRAFT:
     
    5965 * Function components protected with: {{{if not is_admin: t2.redirect('index',flash=T('Not Authorised'))}}}
    6066 * appadmin protected in the same way :)
     67
    6168=== Links ===
    6269 * Working with Realms, Users, Groups, and Roles: http://java.sun.com/javaee/5/docs/tutorial/doc/bnbxj.html